ABSTRACT

Contract-based design is emerging as a unifying compositional paradigm for the specification, design and verification of large-scale complex systems. Yet, different contract frameworks are currently available, without a clear understanding of the relations between them. In this paper, we investigate the relation between interface theories (specifically, relational interfaces) and assume-guarantee (A/G) contracts, revealing some of the subtleties involved. We show that the natural transformation of interfaces to A/G contracts represented by LTL formulas preserves refinement, but does not generally preserve serial composition, and we present an assumption-projection operator to remedy the latter issue. We also discuss the properties of our transformation with respect to conjunction. Finally, we provide illustrative examples that shed light on the effectiveness of both frameworks for requirement formalization, early detection of integration errors, and principled use of abstraction-refinement.

1.  INTRODUCTION 

Designing large and complex embedded and cyber-physical systems (such as "smart" buildings, "smart" transportation, energy, security, and health-care systems) cannot be done in a monolithic manner. Instead, designers naturally use compositional methods, which allow a large and complex system to be assembled from smaller and simpler components (e.g., pre-defined library blocks or subsystems). Methodologies such as component-based design [1] and contract-based design [2] (CBD) are emerging as unifying formal compositional paradigms. They support requirement engineering by providing rigorous formalisms to capture the correct transition between different abstraction levels in system design. Moreover, they offer mechanisms for early detection of integration errors, e.g., by checking compatibility between the components locally, before performing global system verification.

Yet, different formal theories of components and contracts have been proposed in the literature, and there is currently no clear understanding of the relations between them. This paper aims to fill this gap.

We focus in particular on the relation between the so-called interface theories [1], such as interface automata [3] and relational interfaces [4], on the one hand, and the assume-guarantee (A/G) contract framework proposed in [5,6], on the other hand. Examining the relation between these two frameworks is interesting because, while having the same overall objectives, they are supported by quite different mathematical theories. For instance, in an A/G contract the assumptions made on the environment and the guarantees provided by the system are modeled as separate sets of behaviors, whereas in interface theories the two are "merged" into a single model, called an interface.

In addition, interfaces generally rely on the distinction between inputs and outputs. The fact that an interface may not be input-complete (i.e., may not accept every input at every time) is essential and leads to game-theoretic definitions of composition and refinement. A/G contracts, on the other hand, capture assumptions and guarantees as sets of behaviors over a common set of variables, in general with no distinction between inputs and outputs (e.g., for composition).

These differences result in different definitions of key elements of the theories, such as composition and refinement. This paper aims to shed light on the subtle differences between the two frameworks. To be concrete, we start from the theory of synchronous relational interfaces [4]. We choose stateless relational interfaces rather than other, more general interface theories, such as interface automata, as the former are simpler and offer more intuitive support to our investigation. We provide an operator which transforms a relational interface into an A/G contract in the natural way. In particular, a relational interface represented as a formula $\phi$ on inputs and outputs is mapped into the set of behaviors representing the safety property that $\phi$ holds at every (synchronous) step. This can be concretely represented by the LTL formula $\Box\phi$.

We then study the preservation properties of the above transformation. We show that, perhaps surprisingly, the basic operation of serial composition of interfaces is not preserved. Specifically, composing two interfaces $I_1$ and $I_2$, and then transforming the result to an A/G contract, is not equivalent to first transforming each of $I_1$ and $I_2$ to an A/G contract, and then composing the contracts. The reason for this is that the interface compatibility check is "built into" the interface composition operator, so that if the interfaces are incompatible, the result of the composition is False. On the other hand, A/G contracts have no a-priori notion of compatibility during composition. Although compatibility can be checked a-posteriori on the composite contract using the notion of c-receptiveness [5], the latter provides a yes/no answer and does not infer new environment assumptions, as in the case of interface composition.

To remedy this, we introduce an assumption-projection operator for A/G contracts. The latter eliminates ("hides") a given set of variables (only) from the assumption, using universal (i.e., game-theoretic) rather than the usual existential quantification. We show that with this hiding operator the transformation preserves the semantics of interface composition. Unfortunately, LTL formulas are not generally closed under variable elimination (projection). It is therefore unclear how to implement this hiding operator at the A/G contract level.

We also show that our transformation preserves refinement, that is, interface refinement between interfaces $I_1$ and $I_2$ is equivalent to A/G contract refinement between the corresponding A/G contracts. However, another interesting operator, that of conjunction (called shared refinement in [4]), is not preserved. The reason is another crucial difference between the two frameworks. While A/G contracts reason about global behaviors of components, possibly spanning infinite sequences of reactions, relational interfaces can also capture punctual relations between the inputs and outputs of a component, at the granularity of a single reaction index. Therefore, computation of conjunction as the greatest lower bound (GLB) with respect to the refinement order generates a smaller set of allowed environments and a larger set of guaranteed behaviors for A/G contracts, which translates into a tighter, less conservative, bound. As a result, the contract associated with the conjunction of interfaces $I_1$ and $I_2$ refines, but is generally different from, the conjunction of the contracts associated with $I_1$ and $I_2$.

Related Work: Despite the proliferation of work on compositional theories in general, and interface and contract theories in particular, there is little work that attempts to draw links between the existing frameworks. The authors in [6] propose a general "meta-theory" of contracts, expressed in terms of sets of implementations and environments, from which both interface theories and A/G contracts can be instantiated. Following a similar approach, the work in [7] attempts to provide an abstract formalization of the notion of contracts by relating "specification theories" to "contract theories". In this paper, instead of resorting to a common, more abstract, meta-theory, we aim to directly map interfaces to A/G contracts and, as a result, reveal some of the subtle differences between the two frameworks.

Another theory of A/G contracts is proposed in [8] to support rich component interactions by replacing the notion of parallel composition with that of circular reasoning. However, compatibility and conjunction are not addressed in this framework. On the other hand, in [9], an interface model similar to relational interfaces is proposed, except that assumptions on input variables and guarantees on output variables are separated into two different formulas. This type of "assume-guarantee interface" is a strict subclass of relational interfaces, since the latter can model relations between input and output variables, which cannot be captured in the former.

The rest of the paper is organized as follows. We briefly summarize relational interfaces and A/G contracts in Section 2. In Section 3, we present the main results of the paper together with several illustrative examples. Finally, in Section 4, we draw some conclusions.


2.  BACKGROUND 

We recall the salient parts of the relational interface and A/G contract frameworks.

2.1  Synchronous  Relational  Interfaces 

For simplicity, we restrict ourselves to stateless interfaces. A (relational) interface is a tuple $I = (X, Y, \phi)$ where $X$ and $Y$ are finite sets of input and output variables, respectively, and $\phi$ is a logical formula on the variables in $X \cup Y$. The sets of input and output variables must be disjoint: $X \cap Y = \emptyset$. To relate to A/G contracts, we assume that all variables in $X \cup Y$ range over the same set of values $U$. A valuation over a set of variables $V$ is a function $v : V \to U$, where $U$ is the set of possible values for the variables. A valuation $v$ over $V$ satisfies a formula $\phi$ over the same set of variables $V$, written $v \models \phi$, if replacing the free variables in $\phi$ by their values as specified by $v$ yields a formula that evaluates to True. A formula $\phi$ defines the following set of behaviors:

$$[\![\phi]\!] := \{\, v_0 v_1 v_2 \cdots \mid \forall i : v_i \models \phi \,\}.$$

Note that $[\![\phi]\!]$ is a safety property.

Given interface $I = (X, Y, \phi)$, the input assumption defined by $\phi$ is the formula $in(\phi) := \exists Y : \phi$, where $\exists Y : \phi$ is $\exists y_1 : \exists y_2 : \cdots \exists y_n : \phi$ when $Y = \{y_1, y_2, \ldots, y_n\}$. $in(\phi)$ characterizes the legal inputs. An input is considered illegal if there is no output which can satisfy $\phi$ for that input. Note that $in(\phi)$ is a formula on $X$ only, as the variables in $Y$ have been eliminated by existential quantification. For example, if $X = \{x\}$, $Y = \{y\}$, and $\phi$ is $x \geq 0 \wedge y = x$, then $in(\phi)$ is $x \geq 0$. If $\phi$ is $x \geq 0 \to y = x$, then $in(\phi)$ is True.

Composition: Serial composition of two interfaces $I_1 = (X_1, Y_1, \phi_1)$ and $I_2 = (X_2, Y_2, \phi_2)$ can be defined provided all sets $X_1, Y_1, X_2, Y_2$ are pairwise disjoint, except possibly the pair $Y_1, X_2$. Let $Y_c = Y_1 \cap X_2$. The interpretation is that the variables in $Y_c$ are outputs of $I_1$ which are connected to inputs of $I_2$. Note that we allow $Y_c$ to be empty, in which case serial composition reduces to parallel composition (where no connections between the two interfaces exist). Then, the composite interface $I_1 \leadsto I_2$ is defined to be the interface

$$I_1 \leadsto I_2 := \big((X_1 \cup X_2) \setminus Y_c,\; Y_1 \cup Y_2,\; \phi\big)$$

where

$$\phi = \phi_1 \wedge \phi_2 \wedge \forall Y_1 : (\phi_1 \to in(\phi_2)).$$

$I_1$ and $I_2$ are said to be compatible interfaces if $\phi$ is satisfiable, i.e., if $\phi$ is not equivalent to False.

Refinement: Given two interfaces $I_1 = (X_1, Y_1, \phi_1)$ and $I_2 = (X_2, Y_2, \phi_2)$, we say that $I_1$ refines $I_2$, written $I_1 \sqsubseteq I_2$, iff $X_1 \subseteq X_2$, $Y_1 \supseteq Y_2$ and the following formula is valid (i.e., true under all valuations):

$$in(\phi_2) \to \big(in(\phi_1) \wedge (\phi_1 \to \phi_2)\big).$$

Shared refinement: Two interfaces $I_1 = (X, Y, \phi_1)$ and $I_2 = (X, Y, \phi_2)$ are said to be shared-refinable if the following formula is true:

$$\forall X : \big((in(\phi_1) \wedge in(\phi_2)) \to (\exists Y : (\phi_1 \wedge \phi_2))\big).$$

If $I_1$ and $I_2$ are shared-refinable, their shared refinement, denoted $I_1 \sqcap I_2$, is defined to be the interface $I_1 \sqcap I_2 := (X, Y, \phi_\sqcap)$, where

$$\phi_\sqcap := (in(\phi_1) \vee in(\phi_2)) \wedge (in(\phi_1) \to \phi_1) \wedge (in(\phi_2) \to \phi_2).$$

It can be seen that $I_1 \sqcap I_2$, when it exists, is guaranteed to refine both $I_1$ and $I_2$, which, as argued in [5,9], is important for component reuse (see also [10]).
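The definitions of this section can be checked mechanically once the variables range over a finite domain. The following Python program is an added example and is not part of the paper: it assumes that every variable ranges over the small integer domain DOM = {-1, 0, 1} (so the quantifiers in in(φ), in the composition guard and in shared refinement can be eliminated by enumeration), represents a formula as a Python predicate over a dict valuation, and implements in(φ), serial composition with its built-in compatibility check, refinement and shared refinement exactly as defined above. The interfaces I1, I2 and I3 are the ones used in Examples 1 and 2 of Section 3, and the refinement example uses the two formulas x ≥ 0 ∧ y = x and x ≥ 0 → y = x from the paragraph on in(φ); the interfaces I5, I6 and I7 are constructed for this example only.

```python
from itertools import product

# Constructed finite model (an assumption of this example, not of the paper):
# every variable ranges over DOM, so the quantifiers of Section 2.1 can be
# eliminated by enumeration. Formulas are Python predicates over a dict valuation.
DOM = (-1, 0, 1)

class Interface:
    """A stateless relational interface I = (X, Y, phi)."""
    def __init__(self, X, Y, phi):
        self.X, self.Y, self.phi = frozenset(X), frozenset(Y), phi
        assert not (self.X & self.Y), "input and output variables must be disjoint"

def valuations(names):
    names = sorted(names)
    return [dict(zip(names, vals)) for vals in product(DOM, repeat=len(names))]

def exists(names, phi):
    """(exists names : phi) as a predicate on the remaining variables."""
    return lambda v: any(phi({**v, **w}) for w in valuations(names))

def forall(names, phi):
    """(forall names : phi) as a predicate on the remaining variables."""
    return lambda v: all(phi({**v, **w}) for w in valuations(names))

def valid(names, phi):
    return all(phi(v) for v in valuations(names))

def satisfiable(names, phi):
    return any(phi(v) for v in valuations(names))

def in_(I):
    """Input assumption in(phi) = exists Y : phi, a formula on X only."""
    return exists(I.Y, I.phi)

def compose(I1, I2):
    """Serial composition I1 ~> I2; Yc = Y1 & X2 are the connected variables."""
    assert not (I1.X & I2.X or I1.Y & I2.Y or I1.X & I2.Y), "only Y1 and X2 may overlap"
    in2 = in_(I2)
    guard = forall(I1.Y, lambda v: (not I1.phi(v)) or in2(v))  # forall Y1 : (phi1 -> in(phi2))
    return Interface((I1.X | I2.X) - (I1.Y & I2.X), I1.Y | I2.Y,
                     lambda v: I1.phi(v) and I2.phi(v) and guard(v))

def compatible(I1, I2):
    """I1 and I2 are compatible iff the composite formula is satisfiable."""
    I = compose(I1, I2)
    return satisfiable(I.X | I.Y, I.phi)

def refines(I1, I2):
    """I1 refines I2: X1 <= X2, Y1 >= Y2 and in(phi2) -> (in(phi1) and (phi1 -> phi2)) valid."""
    if not (I1.X <= I2.X and I1.Y >= I2.Y):
        return False
    in1, in2 = in_(I1), in_(I2)
    return valid(I2.X | I1.Y,
                 lambda v: (not in2(v)) or (in1(v) and ((not I1.phi(v)) or I2.phi(v))))

def shared_refinable(I1, I2):
    """forall X : ((in(phi1) and in(phi2)) -> exists Y : (phi1 and phi2)), same X and Y."""
    assert I1.X == I2.X and I1.Y == I2.Y
    in1, in2 = in_(I1), in_(I2)
    both = exists(I1.Y, lambda v: I1.phi(v) and I2.phi(v))
    return valid(I1.X, lambda v: (not (in1(v) and in2(v))) or both(v))

def shared_refinement(I1, I2):
    """I1 meet I2 with phi = (in1 or in2) and (in1 -> phi1) and (in2 -> phi2)."""
    assert shared_refinable(I1, I2)
    in1, in2 = in_(I1), in_(I2)
    return Interface(I1.X, I1.Y, lambda v: (in1(v) or in2(v))
                     and ((not in1(v)) or I1.phi(v)) and ((not in2(v)) or I2.phi(v)))

# Interfaces of the paper's Examples 1 and 2, with DOM standing in for the integers.
I1 = Interface({"x"}, {"y"}, lambda v: True)
I2 = Interface({"y"}, set(), lambda v: v["y"] >= 0)
I3 = Interface({"x"}, {"y"}, lambda v: v["y"] >= v["x"])

def example_composition():
    """I1 ~> I2 is unsatisfiable (incompatible); I3 ~> I2 adds the input assumption x >= 0."""
    I32 = compose(I3, I2)
    same = valid(I32.X | I32.Y,
                 lambda v: I32.phi(v) == (v["x"] >= 0 and v["y"] >= v["x"]))
    return compatible(I1, I2), compatible(I3, I2), same

def example_refinement():
    """Section 2.1 formulas: (x >= 0 -> y = x) refines (x >= 0 and y = x), not vice versa."""
    I = Interface({"x"}, {"y"}, lambda v: v["x"] >= 0 and v["y"] == v["x"])
    Ip = Interface({"x"}, {"y"}, lambda v: v["x"] < 0 or v["y"] == v["x"])
    return refines(Ip, I), refines(I, Ip)

def example_shared_refinement():
    """I5 and I6 agree on y where both accept the input (x = 0); I5 and I7 cannot."""
    I5 = Interface({"x"}, {"y"}, lambda v: v["x"] >= 0 and v["y"] == v["x"])
    I6 = Interface({"x"}, {"y"}, lambda v: v["x"] <= 0 and v["y"] == -v["x"])
    I7 = Interface({"x"}, {"y"}, lambda v: v["y"] != v["x"])
    S = shared_refinement(I5, I6)
    return shared_refinable(I5, I6), refines(S, I5) and refines(S, I6), shared_refinable(I5, I7)
```

The composition guard is where the game-theoretic flavour of interfaces shows up in code: the universal quantifier over Y1 asks whether every output I1 may legally produce is a legal input of I2, so for I1 ~> I2 the guard is False on every valuation and the composite is unsatisfiable, while for I3 ~> I2 it evaluates to the new input assumption x ≥ 0.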

2.2  Assume/Guarantee  Contracts 

Following [5], [6], an assume-guarantee (A/G) contract is a pair $(A, G)$ where $A$ and $G$ are sets of behaviors. $A$ represents the assumptions that a system makes on its environment, and $G$ represents the guarantees provided by the system under the environment assumptions. The A/G contract framework is abstract in the sense that it does not predefine the type of behaviors. Behaviors can be of different kinds (e.g., discrete or continuous, finite or infinite in length) and they can be concretely represented using different formalisms, e.g., automata, temporal logic, differential equations. For the purposes of this paper, we consider a specific type of behaviors, in order to establish our results. We therefore equip a contract with a finite set of variables $V$. A behavior over $V$ is an infinite sequence of valuations over $V$, $\rho = v_0 v_1 v_2 \cdots$. In the sequel, an A/G contract will be a triple $(V, A, G)$ where $A$ and $G$ are sets of behaviors over $V$.

Often contracts are assumed to be in saturated (canonical) form, meaning that they satisfy $\overline{A} \subseteq G$, where $\overline{A}$ is the complement of $A$. In the sequel we assume that contracts are given in saturated form. This is not a restrictive assumption, as we can always transform a contract $(V, A, G)$ into its saturated form $(V, A, G')$ where $G' := G \cup \overline{A}$.

Satisfaction: A contract is to be realized by an implementation, modeled as a set of behaviors $M$ over the same set of variables. A set of behaviors $M$ over $V$ satisfies a contract $C = (V, A, G)$, written $M \models C$, when it satisfies its guarantee subject to the assumption; formally, $M \cap A \subseteq G$. Similarly, a contract admits a set of legal environments, each modeled as a set of behaviors $E$ over the same set of variables. A set of behaviors $E$ over $V$ satisfies a contract $C = (V, A, G)$ as an environment, written $E \models_E C$, when it satisfies its assumption; formally, $E \subseteq A$.

Composition: Composition of contracts can be used to construct composite contracts out of simpler ones. Let $C_1 = (V, A_1, G_1)$ and $C_2 = (V, A_2, G_2)$ be contracts (in saturated form) over the same set of variables $V$. The composite contract $C_1 \otimes C_2$ is defined as the triple $(V, A, G)$ where [6]:

$$A = (A_1 \cap A_2) \cup \overline{G_1 \cap G_2} \tag{1}$$

$$G = G_1 \cap G_2. \tag{2}$$

Note that contract composition preserves saturated form, that is, if $C_1$ and $C_2$ are in saturated form, then so is $C_1 \otimes C_2$. Moreover, $\otimes$ is associative and commutative and generalizes to an arbitrary number of contracts. We therefore can write

$$C_1 \otimes C_2 \otimes \cdots \otimes C_n.$$

In order for composition to be defined, contracts need to be over the same set of variables $V$. If this is not the case, then, before composing the contracts, we must first extend their behaviors to a common set of variables using an inverse-projection type of transformation. We call this process alphabet equalization. Formally, let $C = (V, A, G)$ be a contract and let $V'$ be the set of variables on which we want to extend $C$. The extension of $C$ on $V'$ is the new contract $C' = (V', A', G')$ where $A'$ and $G'$ are sets of behaviors over $V'$, defined by inverse projection of $A$ and $G$, respectively. In the sequel, we freely compose contracts $C_1 = (V_1, A_1, G_1)$ and $C_2 = (V_2, A_2, G_2)$ over arbitrary sets of variables $V_1, V_2$, by implicitly first taking their extensions to $V = V_1 \cup V_2$.

Compatibility: A saturated contract $C = (V, A, G)$ is called compatible if there exists a legal (non-empty) environment $E$ for $C$, i.e., if and only if $A \neq \emptyset$. This definition can then be lifted to pairs of contracts, so that two contracts $C_1$ and $C_2$ are compatible iff $C_1 \otimes C_2$ is compatible.

Some works (e.g., [2,5]) present versions of the A/G contract theory which distinguish between input (uncontrolled) and output (controlled) variables. The definition of contract composition is not changed in that case, but a new notion of contract compatibility can be defined. Let $c \subseteq V$ be the subset of controlled variables of $C$. Then $C$ is compatible iff $A$ is $c$-receptive, i.e., iff for all behaviors $\rho'$ restricted to the variables in $c$, there exists a behavior $\rho \in A$ such that $\rho'$ and $\rho$ coincide over $c$. Intuitively, an environment has no control over the variables set by an implementation, and therefore $A$ accepts any history offered to the subset $c$ of its variables.

Consistency: A saturated contract $C = (V, A, G)$ is called consistent if there exists a non-empty implementation $M$ for $C$, i.e., if and only if $G \neq \emptyset$. As with compatibility, consistency can also be lifted to pairs of contracts, so that $C_1$ and $C_2$ are consistent iff $C_1 \otimes C_2$ is consistent.

Refinement: We say that contract $C_1 = (V, A_1, G_1)$ refines contract $C_2 = (V, A_2, G_2)$ (with $C_1$ and $C_2$ both in saturated form), written $C_1 \preceq C_2$, if and only if $A_1 \supseteq A_2$ and $G_1 \subseteq G_2$. Refinement amounts to relaxing assumptions and reinforcing guarantees, therefore strengthening the contract. Clearly, if $M \models C'$ and $C' \preceq C$, then $M \models C$. On the other hand, if $E \models_E C$, then $E \models_E C'$. In other words, contract $C'$ refines another contract $C$ if $C'$ admits fewer implementations than $C$, but more legal environments than $C$. This is a standard concept inspired by the notion of behavioral subtyping [7].

Conjunction: The conjunction of two contracts $C_1 = (V, A_1, G_1)$ and $C_2 = (V, A_2, G_2)$ is defined to be the contract $C_1 \wedge C_2 = (V, A_1 \cup A_2, G_1 \cap G_2)$. Conjunction of A/G contracts is similar to shared refinement in interfaces. Note, however, that shared refinement of interfaces is not always defined, whereas conjunction of A/G contracts is always defined.

2.3  LTL  A/G  Contracts 

To work with A/G contracts, we may concretely express the sets of behaviors $A$ and $G$ as formulas in linear temporal logic (LTL) [11]. An LTL A/G contract is then a triple $(V, \varphi_a, \varphi_g)$, where $\varphi_a$ and $\varphi_g$ are LTL formulas over the set of variables $V$. For instance, if $V = \{x, y\}$ and $x, y$ are both integer variables, a possible LTL A/G contract is $(V, \Box(x \geq 0), \Box(y \geq 0))$. An LTL formula represents a set of behaviors. For example, the formula $\Box(x \geq 0)$ represents the set of all behaviors where $x$ is never negative.

Most operations on contracts can be implemented as operations on LTL formulas in a straightforward way. For instance, saturation of $(V, \varphi_a, \varphi_g)$ can be achieved by setting $\varphi_g := \varphi_a \to \varphi_g$; checking that $(V, \varphi_a, \varphi_g)$ refines $(V, \varphi'_a, \varphi'_g)$ amounts to checking that $\varphi'_a \to \varphi_a$ and $\varphi_g \to \varphi'_g$ are both valid.

3.  FROM  SYNCHRONOUS  RELATIONAL 
INTERFACES  TO  A/G  CONTRACTS 

Figure 1: Pictorial representation of the relational interfaces in Example 1 (a) and Example 2 (b).

Definition 3.1 (Contract Associated with an Interface). An interface $I = (X, Y, \phi)$ can be transformed into a contract $C = \mathcal{A}(I) = (V, A, G)$ where

$$V := X \cup Y, \qquad A := \Box in(\phi), \qquad G := \Box in(\phi) \to \Box\phi.$$

We call $C$ the contract associated with $I$ under the transformation $\mathcal{A}$.

Even though $in(\phi)$ is a formula over only the set of input variables $X$, when we define $A$ we choose to interpret $in(\phi)$ over the entire set of variables $V = X \cup Y$. In fact, both $A$ and $G$ in a contract are defined as behaviors over the same set of variables. Moreover, we conveniently express the sets of behaviors in $A$ and $G$ as LTL formulas, where $\Box\phi$ denotes the set of behaviors $[\![\phi]\!]$. By definition, contract $\mathcal{A}(I)$ is in saturated form. In what follows, we analyze the behavior of the proposed transformation with respect to serial composition, refinement and conjunction.

3.1  Serial  Composition  and  Compatibility 

We would expect that $\mathcal{A}$ preserves serial composition, i.e., that for any interfaces $I_1$ and $I_2$, $\mathcal{A}(I_1 \leadsto I_2) = \mathcal{A}(I_1) \otimes \mathcal{A}(I_2)$ holds. However, this is not true in general, as shown by the following example.

Example 1. Consider the interfaces $I_1 = (\{x\}, \{y\}, \text{True})$ and $I_2 = (\{y\}, \emptyset, y \geq 0)$, shown in Fig. 1(a). We have $\mathcal{A}(I_1) = (\{x, y\}, \text{True}, \text{True})$ and $\mathcal{A}(I_2) = (\{x, y\}, \Box(y \geq 0), \text{True})$. Moreover, since $I_1 \leadsto I_2 = (\{x\}, \{y\}, \text{False})$, we have $\mathcal{A}(I_1 \leadsto I_2) = (\{x, y\}, \text{False}, \text{True})$. On the other hand, we also obtain $\mathcal{A}(I_1) \otimes \mathcal{A}(I_2) = (\{x, y\}, \Box(y \geq 0), \text{True})$, which is clearly not equal to $\mathcal{A}(I_1 \leadsto I_2)$.

The difference highlighted by Example 1 can be intuitively explained by the incompatibility of $I_1$ and $I_2$. This is correctly expressed by $\phi$ being False and reflected in the assumptions of $\mathcal{A}(I_1 \leadsto I_2)$, which are also False, meaning that the contract $\mathcal{A}(I_1 \leadsto I_2)$ is also incompatible, i.e., any component satisfying $\mathcal{A}(I_1 \leadsto I_2)$ cannot be hosted by any environment. On the other hand, such incompatibility is not immediately detected using $\mathcal{A}(I_1) \otimes \mathcal{A}(I_2)$, which seems to indicate that any sequence $y_n$ satisfying $y_n \geq 0$ for all $n \in \mathbb{N}$ is admitted. Only after observing that $y$ is a controlled variable can we finally conclude that $\mathcal{A}(I_1) \otimes \mathcal{A}(I_2)$ is incompatible, since its assumptions are not $y$-receptive.

As a second attempt, we may try to prove that serial composition is preserved provided the interfaces are compatible. Example 2 shows that this is not the case either.

Example 2. Consider the interfaces $I_3 = (\{x\}, \{y\}, y \geq x)$ and $I_2 = (\{y\}, \emptyset, y \geq 0)$, shown in Fig. 1(b). We have $\mathcal{A}(I_3) = (\{x, y\}, \text{True}, \Box(y \geq x))$, $\mathcal{A}(I_2) = (\{x, y\}, \Box(y \geq 0), \text{True})$, $I_3 \leadsto I_2 = (\{x\}, \{y\}, x \geq 0 \wedge y \geq x)$, and

$$\mathcal{A}(I_3 \leadsto I_2) = \big(\{x, y\},\; \Box(x \geq 0),\; \Box(x \geq 0) \to \Box(y \geq x)\big).$$

On the other hand, we also obtain

$$\mathcal{A}(I_3) \otimes \mathcal{A}(I_2) = \big(\{x, y\},\; \Box(y \geq x) \to \Box(y \geq 0),\; \Box(y \geq x)\big),$$

which is clearly not equal to $\mathcal{A}(I_3 \leadsto I_2)$. In fact, the sequence $(x_n, y_n)$ where $x_n = -1$ and $y_n = -3$ for all $n \in \mathbb{N}$ satisfies the assumptions of $\mathcal{A}(I_3) \otimes \mathcal{A}(I_2)$ but does not satisfy the ones of $\mathcal{A}(I_3 \leadsto I_2)$. (Here and in the sequel, $\Box$ takes precedence over $\to$, so $\Box in(\phi) \to \Box\phi$ means $(\Box in(\phi)) \to \Box\phi$.)

Again, we see that the assumptions refer to output variables, and do not contain the important new assumption $x \geq 0$ induced by interface composition, which is crucial to guarantee interface compatibility. Note that we can still conclude that $\mathcal{A}(I_3) \otimes \mathcal{A}(I_2)$ is indeed compatible, since its assumptions are $y$-receptive. However, we are also interested in inferring the largest set of environments, with respect to set inclusion, that is allowed by the composite contract, captured by the new assumption $\Box(x \geq 0)$. To obtain this, we introduce a new projection operation on contracts, which we call assumption projection (AP).

Definition 3.2. Given a contract $C = (V, A, G)$ and a subset $W \subseteq V$, the assumption projection of $C$ with respect to $W$ ($AP_W$) returns the new saturated contract

$$AP_W(C) = \big(V,\; \forall W : A,\; (\forall W : A) \to G\big).$$

We use the fact that the universal quantifier is commutative and associative to lift it to sets of variables in Definition 3.2, so that $\forall W : A := (\forall w_1 : \forall w_2 : \ldots : \forall w_n : A)$ when $W = \{w_1, w_2, \ldots, w_n\}$. We are now ready to state the following theorem, which relates serial composition of interfaces with serial composition of contracts.

Theorem 3.3. Given two relational interfaces $I_1$ and $I_2$ with sets of output variables $Y_1$ and $Y_2$, respectively, we have

$$\mathcal{A}(I_1 \leadsto I_2) = AP_{Y_1 \cup Y_2}\big(\mathcal{A}(I_1) \otimes \mathcal{A}(I_2)\big). \tag{3}$$

Moreover, $I_1$ and $I_2$ are compatible iff $AP_{Y_1 \cup Y_2}(\mathcal{A}(I_1) \otimes \mathcal{A}(I_2))$ is compatible.

Before proving Theorem 3.3, we introduce the following lemma, which will be used in the proof.

Lemma 3.4. Given the interfaces $I_1 = (X_1, Y_1, \phi_1)$ and $I_2 = (X_2, Y_2, \phi_2)$, let $\psi = \Box(\forall Y_1 : \phi_1 \to in(\phi_2))$ and $\psi' = (\forall Y_1 : \Box\phi_1 \to \Box in(\phi_2))$. Then, if $\Box in(\phi_1)$ is True, we have $\psi \leftrightarrow \psi'$.

Proof (Lemma 3.4). Suppose first that $\psi$ is True, and consider any sequence $y_{1,n}$ of valuations over $Y_1$ on which $\Box\phi_1$ holds. Then, for all $n$, the valuations $(x_{1,n}, x_{2,n}, y_{1,n})$ over $(X_1, X_2, Y_1)$ satisfy $(x_{1,n}, x_{2,n}, y_{1,n}) \models \phi_1$. Hence, by $\psi$, we also have that for all $n$, $(x_{1,n}, x_{2,n}, y_{1,n}) \models in(\phi_2)$. This implies that $\Box in(\phi_2)$ holds on every sequence of valuations over $Y_1$ that satisfies $\Box\phi_1$, and $\psi'$ is True. Therefore, we conclude that $\psi \to \psi'$.

To prove that $\psi' \to \psi$, we now assume that $\psi$ is False, and prove that $\psi'$ must also be False. In fact, if $\psi$ is False, then there exist a sequence $(x_{1,k}, x_{2,k})$ of valuations over $(X_1, X_2)$, an index $i \in \mathbb{N}$ and a valuation $y^*$ over $Y_1$ such that $(x_{1,i}, x_{2,i}, y^*) \models \phi_1$ and $(x_{1,i}, x_{2,i}, y^*) \not\models in(\phi_2)$. Consider such a sequence $(x_{1,k}, x_{2,k})$. Then, since $\Box in(\phi_1)$ holds by hypothesis, we know that, for all $k$, it is possible to find $y_{1,k}$ such that $(x_{1,k}, y_{1,k}) \models \phi_1$. Therefore, starting from $(x_{1,k}, x_{2,k})$, we can construct a new sequence $s_k = (x_{1,k}, x_{2,k}, y'_{1,k})$ such that $y'_{1,k} = y_{1,k}$ for all $k \neq i$, and $y'_{1,i} = y^*$. By construction, $s_k \models \Box\phi_1$ but $s_k \not\models \Box in(\phi_2)$, i.e., $s_k$ falsifies $\psi'$. We can therefore conclude $\neg\psi \to \neg\psi'$, which is what we wanted to prove. □


We can now prove Theorem 3.3.

Proof (Theorem 3.3). Both the left- and right-hand side contracts $C_L$ and $C_R$ in (3) are in saturated form by definition of $\mathcal{A}$ and of AP. To prove that $C_L$ and $C_R$ are equal we need to prove that they have the same assumption and guarantee sets. We first compute assumptions and guarantees for $C_R$. By applying (1) and (2) and the definition of $\mathcal{A}$ we obtain:

$$G_\otimes = (\Box in(\phi_1) \to \Box\phi_1) \wedge (\Box in(\phi_2) \to \Box\phi_2) \tag{4}$$

$$\begin{aligned}
A_\otimes &= (\Box in(\phi_1) \wedge \Box in(\phi_2)) \vee \neg G_\otimes \\
&= \Box(in(\phi_1) \wedge in(\phi_2)) \vee (\Box in(\phi_1) \wedge \neg\Box\phi_1) \vee (\Box in(\phi_2) \wedge \neg\Box\phi_2)
\end{aligned} \tag{5}$$

where $A_\otimes$ and $G_\otimes$ are the assumptions and guarantees of $\mathcal{A}(I_1) \otimes \mathcal{A}(I_2)$. Finally, after assumption projection, we obtain:

$$\begin{aligned}
A_R &= \forall Y_1\, \forall Y_2 : A_\otimes \\
&= \forall Y_1 : \big[\Box(in(\phi_1) \wedge in(\phi_2)) \vee (\Box in(\phi_1) \wedge \neg\Box\phi_1)\big] \vee \big(\forall Y_2 : (\Box in(\phi_2) \wedge \neg\Box\phi_2)\big) \\
&= \forall Y_1 : \Box(in(\phi_1) \wedge in(\phi_2)) \vee (\Box in(\phi_1) \wedge \neg\Box\phi_1) \\
&= \forall Y_1 : \Box in(\phi_1) \wedge (\Box in(\phi_2) \vee \neg\Box\phi_1) \\
&= \Box in(\phi_1) \wedge (\forall Y_1 : \Box\phi_1 \to \Box in(\phi_2))
\end{aligned} \tag{6}$$

where the last disjunct of the second line is dropped because it is False: whenever $\Box in(\phi_2)$ holds, a sequence of valuations over $Y_2$ satisfying $\Box\phi_2$ can be built step by step, so $\forall Y_2 : \neg\Box\phi_2$ fails. For the guarantees of $C_R$ we obtain:

$$G_R = A_R \to G_\otimes = \Big(\Box in(\phi_1) \wedge (\forall Y_1 : \Box\phi_1 \to \Box in(\phi_2))\Big) \to \Big((\Box in(\phi_1) \to \Box\phi_1) \wedge (\Box in(\phi_2) \to \Box\phi_2)\Big). \tag{7}$$

Consider now the assumptions of $C_L$. We obtain:

$$\begin{aligned}
A_L = \Box in(\phi) &= \Box\big[\exists Y_1 \exists Y_2 : \phi_1 \wedge \phi_2 \wedge (\forall Y_1 : \phi_1 \to in(\phi_2))\big] \\
&= \Box\big[(\forall Y_1 : \phi_1 \to in(\phi_2)) \wedge (\exists Y_1 : \phi_1 \wedge in(\phi_2))\big] \\
&= \Box\big[(\forall Y_1 : \phi_1 \to in(\phi_2)) \wedge in(\phi_1)\big] \\
&= \Box(\forall Y_1 : \phi_1 \to in(\phi_2)) \wedge \Box in(\phi_1)
\end{aligned} \tag{8}$$

while for $G_L$ we obtain

$$G_L = \Box(\forall Y_1 : \phi_1 \to in(\phi_2)) \wedge \Box in(\phi_1) \to \Box\big(\phi_1 \wedge \phi_2 \wedge (\forall Y_1 : \phi_1 \to in(\phi_2))\big). \tag{9}$$

The equivalence of the assumptions $A_L$ and $A_R$ follows directly from Lemma 3.4: both are False when $\Box in(\phi_1)$ is False, and otherwise the lemma applies to their remaining conjuncts. To prove the equivalence of $G_L$ and $G_R$, note that both are trivially True when the (common) assumptions are False, and that under $A_L$ the conjunct $\Box(\forall Y_1 : \phi_1 \to in(\phi_2))$ in the consequent of (9) is True; it is therefore enough to prove that, if $A_L$ (equivalently, $A_R$) is True, then

$$(\Box in(\phi_1) \to \Box\phi_1) \wedge (\Box in(\phi_2) \to \Box\phi_2) \leftrightarrow \Box(\phi_1 \wedge \phi_2). \tag{10}$$

Clearly, if the formula on the right side of the double implication in (10) is True, then $\Box\phi_1$ and $\Box\phi_2$ both hold and the formula on the left side is trivially True. Suppose now that the left-hand side of (10) is True. Since $A_L$ and $A_R$ are True, $\Box in(\phi_1)$ is True, which implies that $\Box\phi_1$ is True. On the other hand, by $A_L$ and $A_R$ being again True, we also have

$$\Box(\forall Y_1 : \phi_1 \to in(\phi_2)) \wedge \Box\phi_1 \to \Box in(\phi_2).$$

This allows us to conclude that $\Box in(\phi_2)$, and hence $\Box\phi_2$, is also True, and finally (10) holds. We have therefore proved (3).

Let now $\phi = \phi_1 \wedge \phi_2 \wedge (\forall Y_1 : \phi_1 \to in(\phi_2))$ be the formula associated with $I_1 \leadsto I_2$. $I_1$ and $I_2$ are compatible if and only if $\phi$ is satisfiable. On the other hand, $AP_{Y_1 \cup Y_2}(\mathcal{A}(I_1) \otimes \mathcal{A}(I_2))$ is compatible if and only if its assumptions $A_R$ are satisfiable. Then, to prove the last statement of the theorem, we need to prove that $\phi$ is satisfiable if and only if $A_R$ is satisfiable. This can be directly inferred from the fact that $A_R = A_L = \Box in(\phi)$. In fact, $\Box in(\phi)$ is satisfiable if and only if $in(\phi)$ is satisfiable, i.e., if and only if $\phi$ is satisfiable, which concludes our proof. □

Assumption projection hides the controlled variables of the composite contract from its assumptions, thus enabling preservation of serial composition and compatibility between interfaces and their associated contracts. However, we observe that this operator is not straightforward to implement, since LTL is not closed under projection [12]. For instance, consider the LTL formula $\theta$ over two Boolean variables $s$ and $p$:

$$\theta := p \wedge \Box(s \to p) \wedge \Box(s \to \bigcirc\neg s) \wedge \Box(\neg s \to \bigcirc s)$$

It can be shown that there is no LTL formula over $p$ that characterizes exactly the set of infinite traces obtained by projecting the traces characterized by $\theta$ onto the $p$ variable. Intuitively, $s$ alternates at every step, so the projection requires $p$ to hold at every second position, a counting property that LTL cannot express.

3.2 Refinement

While $\mathcal{T}$ does not generally preserve serial composition, it preserves refinement, as the following theorem shows.

Theorem 3.5. Given two relational interfaces $I_1$ and $I_2$, then $I_1 \sqsubseteq I_2$ if and only if $\mathcal{T}(I_1) \preceq \mathcal{T}(I_2)$.

Proof. Let $I_1 = (X_1, Y_1, \phi_1)$ and $I_2 = (X_2, Y_2, \phi_2)$. By definition of refinement, we recall that $I_1 \sqsubseteq I_2$ if and only if $(in(\phi_2) \to in(\phi_1) \wedge (\phi_1 \to \phi_2))$ is valid or, equivalently, the following two formulas

$$in(\phi_2) \to in(\phi_1) \quad (11)$$

$$in(\phi_2) \wedge \phi_1 \to \phi_2 \quad (12)$$

are both valid. Moreover, by definition of $\mathcal{T}$, we have

$$\mathcal{T}(I_1) = (X_1 \cup Y_1,\ \Box in(\phi_1),\ \Box in(\phi_1) \to \Box\phi_1)$$

$$\mathcal{T}(I_2) = (X_2 \cup Y_2,\ \Box in(\phi_2),\ \Box in(\phi_2) \to \Box\phi_2).$$

We first prove that $I_1 \sqsubseteq I_2 \to \mathcal{T}(I_1) \preceq \mathcal{T}(I_2)$. Let $A_i$ and $G_i$ be, respectively, the assumptions and the guarantees of $\mathcal{T}(I_i)$. We need to show that formulas (11) and (12) imply $A_2 \to A_1$ and $G_1 \to G_2$. Assume $A_2 = \Box in(\phi_2)$ is True; then, by (11), $A_1 = \Box in(\phi_1)$ is also True; therefore, $A_2 \to A_1$. Assume now that $G_1$ is True, i.e. either $\Box in(\phi_1)$ is False or $\Box\phi_1$ is True. If $\Box in(\phi_1)$ is False, then from $A_2 \to A_1$, $\Box in(\phi_2)$ is also False, which makes $G_2$ True. If $\Box\phi_1$ is True, then, by (12), we conclude $\Box in(\phi_2) \to \Box\phi_2$, hence $G_2$ is again True. We therefore conclude that $G_1 \to G_2$.

We now prove that if $\mathcal{T}(I_1) \preceq \mathcal{T}(I_2)$, i.e. $A_2 \to A_1$ and $G_1 \to G_2$, then (11) and (12) are valid. To do so, we assume instead that $I_1 \not\sqsubseteq I_2$ and show that $\mathcal{T}(I_1) \not\preceq \mathcal{T}(I_2)$. In fact, if (11) is not valid, then we can create a sequence $x_n$ of valuations over $X_2$ and an index $i$ such that $x_n \models in(\phi_2)$ for all $n$, and $x_i \not\models in(\phi_1)$. Then, for such a sequence, $\Box in(\phi_2)$ is True while $\Box in(\phi_1)$ is False, which means that $A_2 \to A_1$ is not valid. Similarly, assume (12) is not valid; then we can create a sequence of valuations $(x_n, y_n)$ for the variables in $X_2 \cup Y_1$ and an index $i$ such that $(x_n, y_n) \models in(\phi_2)$ and $(x_n, y_n) \models \phi_1$ for all $n$, while $(x_i, y_i) \not\models \phi_2$. However, this implies that $\Box\phi_1$, hence $G_1$, is True while $G_2$ is False, since $\Box in(\phi_2)$ is True without $\Box\phi_2$ being True. Therefore, $G_1 \to G_2$ is also not valid, which allows us to conclude $(I_1 \not\sqsubseteq I_2) \to (\mathcal{T}(I_1) \not\preceq \mathcal{T}(I_2))$, as we wanted to prove. □

Figure 2: Configurations considered in Example 3 (panels (a) and (b)).

To enable compositional methods in system design, it is useful to investigate whether refinement is preserved by composition. For both relational interfaces and A/G contracts, refinement is preserved by parallel composition and serial composition [4,5]. However, this is not always the case for feedback composition. In relational interfaces, feedback preserves refinement only if the interfaces are "Moore" with respect to the input variables involved in the connection, i.e., when the fed-back output only depends on state variables but not on current inputs [4]. In A/G contracts, refinement is instead preserved by feedback composition [5].

An in-depth investigation of the properties of feedback composition is out of the scope of this paper. In what follows, we discuss just one property of interest. First, we provide a definition of feedback for A/G contracts.

Definition 3.6 (Feedback Composition of A/G Contracts). Given a contract $C = (V, A, G)$ and a feedback connection $\kappa = (x, y) \in V \times V$ on $C$, let $C_{id}$ be the contract defined as $C_{id} = (\{x, y\}, True, \Box(x = y))$. Then, $\kappa$ defines a new contract $\kappa(C) := C \otimes C_{id}$.

Theorem 3.7 (Refinement under Feedback Composition). Let $I_1 = (X, Y, \phi_1)$ and $I_2 = (X, Y, \phi_2)$ be two relational interfaces and $\kappa = (x, y) \in X \times Y$ a feedback connection on the associated contracts $\mathcal{T}(I_1)$ and $\mathcal{T}(I_2)$; then

$$(I_1 \sqsubseteq I_2) \to (\kappa(\mathcal{T}(I_1)) \preceq \kappa(\mathcal{T}(I_2))), \quad (13)$$

provided that $\kappa(\mathcal{T}(I_2))$ is compatible.

Proof. By Theorem 3.5, we know that if $I_1 \sqsubseteq I_2$ then $\mathcal{T}(I_1) \preceq \mathcal{T}(I_2)$. By definition of $\kappa$, we also have $\kappa(\mathcal{T}(I_1)) = \mathcal{T}(I_1) \otimes C_{id}$ and $\kappa(\mathcal{T}(I_2)) = \mathcal{T}(I_2) \otimes C_{id}$, $C_{id}$ being the contract $(\{x, y\}, True, \Box(x = y))$. Then, by Property 3 (independent implementability) of the parallel composition of contracts in [6], if $\kappa(\mathcal{T}(I_2))$ is compatible, we can conclude that $\kappa(\mathcal{T}(I_1))$ is also compatible and $\kappa(\mathcal{T}(I_1)) \preceq \kappa(\mathcal{T}(I_2))$, as we wanted to show. □

We observe that (13) holds even if $I_1$ and $I_2$ are not Moore with respect to $x$, in which case $\kappa(I_1) \sqsubseteq \kappa(I_2)$ is not guaranteed. As illustrated by the following two examples, $\kappa(I_1) \sqsubseteq \kappa(I_2)$ may not hold either because $\phi_{\kappa(I_1)}$ is False (Example 3) or because $(\phi_{\kappa(I_1)} \to \phi_{\kappa(I_2)})$ is False (Example 4).

Example 3. Consider $I_A = (\{x, z\}, \{y\}, True)$ and $I_B = (\{x, z\}, \{y\}, x \neq y)$ as in Fig. 2 (a). $I_A$ does not make any assumptions on the inputs and any guarantee on the outputs, while $I_B$ guarantees that the value of the output is different from the value of the input. We have $I_B \sqsubseteq I_A$ since $in(\phi_A) = in(\phi_B) = True$ and $\phi_B \to \phi_A$. However, given $\kappa(I_A) = (\{z\}, \{y, x\}, x = y)$ and $\kappa(I_B) = (\{z\}, \{y, x\}, False)$, obtained as shown in Fig. 2 (b), it is clearly $\kappa(I_B) \not\sqsubseteq \kappa(I_A)$, since $\phi_{\kappa(I_B)}$ is False. Consider now the associated contracts $A = (V, True, True)$ and $B = (V, True, \Box(y \neq x))$ on variables $V = \{x, y, z\}$. We have $B \preceq A$, $\kappa(A) = (V, True, \Box(y = x))$, $\kappa(B) = (V, True, False)$, and $\kappa(B) \preceq \kappa(A)$. Therefore, refinement is preserved by feedback composition, even if $\kappa(B)$ is inconsistent.

Example 4. Consider now $I_A = (\{x\}, \{y\}, (x \neq 0) \wedge (xy = 1))$ and $I_B = (\{x\}, \{y\}, (x \neq 0) \to (xy = 1))$. We have $I_B \sqsubseteq I_A$ since $in(\phi_A) = (x \neq 0)$, $in(\phi_B) = True$ and $(\phi_B \to \phi_A) = (x \neq 0)$. However, given $\kappa(I_A) = (\emptyset, \{y, x\}, (x^2 = 1) \wedge (x = y))$ and $\kappa(I_B) = (\emptyset, \{y, x\}, (x \neq 0 \to x^2 = 1) \wedge (x = y))$, we obtain $\kappa(I_B) \not\sqsubseteq \kappa(I_A)$. In fact, $in(\phi_{\kappa(I_A)}) = in(\phi_{\kappa(I_B)}) = True$; however, $\phi_{\kappa(I_B)} \to \phi_{\kappa(I_A)}$ is False. Consider now the associated contracts $A = (V, \Box(x \neq 0), \Box(x \neq 0) \to \Box(xy = 1))$ and $B = (V, True, \Box((x \neq 0) \to (xy = 1)))$ on variables $V = \{x, y\}$. Since $\kappa(A) = (V, \Box(x \neq 0) \vee \neg\Box(y = x), (\Box(x \neq 0) \to \Box(x^2 = 1)) \wedge \Box(y = x))$ is compatible, $\kappa(B)$ is also compatible and $\kappa(B) \preceq \kappa(A)$. In this case, however, $\kappa(B)$ is also consistent.
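As an added worked example (not code from the paper), the following Python script checks the contract-level claims of Theorem 3.5 and of Examples 3 and 4 by enumeration. A contract is represented as a triple of variables, assumption predicate and guarantee predicate over finite words of valuations; the script implements $\mathcal{T}$, the saturated parallel composition and the feedback composition $\kappa$ of Definition 3.6, and decides refinement, compatibility and consistency over words of bounded length. The bound is an assumption of this example: every formula here is a Boolean combination of $\Box$ applied to state predicates, so an infinite trace that violates (or satisfies) such a formula can be shrunk to one state per negated $\Box$, and words of at most three states suffice. The finite domain $\{-1, 0, 1\}$ used for Example 4 and all function names are also choices of this example.

```python
from itertools import product

# Constructed helper code for this example, not code from the paper.  A contract is a
# triple (V, A, G) where A and G are predicates over a finite, non-empty word of states
# (valuations of V).  The word stands for the infinite trace that repeats it, so "□p"
# holds iff p holds in every state of the word.


def box(p):
    """LTL □p for a state predicate p, evaluated over a finite word."""
    return lambda w: all(p(s) for s in w)


def words(names, domain, max_len):
    """All non-empty words of length <= max_len over valuations of `names`."""
    states = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for n in range(1, max_len + 1):
        yield from product(states, repeat=n)


def transform(X, Y, phi, domain):
    """T(I) = (X ∪ Y, □in(phi), □in(phi) -> □phi) for the interface I = (X, Y, phi)."""
    ys = [dict(zip(Y, vals)) for vals in product(domain, repeat=len(Y))]
    in_phi = lambda s: any(phi({**s, **yv}) for yv in ys)   # in(phi) = ∃Y . phi
    A = box(in_phi)
    G = lambda w: (not A(w)) or box(phi)(w)
    return (tuple(X) + tuple(Y), A, G)


def compose(c1, c2):
    """Parallel composition in saturated form: A = (A1 ∧ A2) ∨ ¬(G1 ∧ G2), G = G1 ∧ G2."""
    V1, A1, G1 = c1
    V2, A2, G2 = c2
    G = lambda w: G1(w) and G2(w)
    A = lambda w: (A1(w) and A2(w)) or not G(w)
    return (tuple(dict.fromkeys(V1 + V2)), A, G)


def feedback_contract(c, x, y):
    """kappa(C) = C ⊗ C_id, with C_id = ({x, y}, True, □(x = y)) as in Definition 3.6."""
    c_id = ((x, y), lambda w: True, box(lambda s: s[x] == s[y]))
    return compose(c, c_id)


def refines_contract(c1, c2, domain, max_len=3):
    """C1 ⪯ C2 iff A2 -> A1 and G1 -> G2 are valid (checked on words up to max_len)."""
    V, A1, G1 = c1
    _, A2, G2 = c2
    return not any((A2(w) and not A1(w)) or (G1(w) and not G2(w))
                   for w in words(V, domain, max_len))


def compatible(c, domain, max_len=3):
    """A contract is compatible iff its assumptions are satisfiable."""
    V, A, _ = c
    return any(A(w) for w in words(V, domain, max_len))


def consistent(c, domain, max_len=3):
    """A contract is consistent iff its guarantees are satisfiable."""
    V, _, G = c
    return any(G(w) for w in words(V, domain, max_len))


# Example 3 over Booleans: I_A = ({x,z},{y},True), I_B = ({x,z},{y},x != y).
BOOL = (False, True)
A3 = transform(["x", "z"], ["y"], lambda v: True, BOOL)
B3 = transform(["x", "z"], ["y"], lambda v: v["x"] != v["y"], BOOL)

# Example 4 over the constructed domain {-1,0,1}: I_A = ({x},{y},(x != 0) ∧ (xy = 1)),
# I_B = ({x},{y},(x != 0) -> (xy = 1)).
INTS = (-1, 0, 1)
A4 = transform(["x"], ["y"], lambda v: v["x"] != 0 and v["x"] * v["y"] == 1, INTS)
B4 = transform(["x"], ["y"], lambda v: v["x"] == 0 or v["x"] * v["y"] == 1, INTS)


def check_examples():
    """Contract-level facts of Theorem 3.5 and Examples 3 and 4, as a dict of booleans."""
    kA3, kB3 = feedback_contract(A3, "x", "y"), feedback_contract(B3, "x", "y")
    kA4, kB4 = feedback_contract(A4, "x", "y"), feedback_contract(B4, "x", "y")
    return {
        "ex3_B_refines_A": refines_contract(B3, A3, BOOL),      # True  (I_B ⊑ I_A)
        "ex3_A_refines_B": refines_contract(A3, B3, BOOL),      # False (I_A not ⊑ I_B)
        "ex3_kB_refines_kA": refines_contract(kB3, kA3, BOOL),  # True, although ...
        "ex3_kB_consistent": consistent(kB3, BOOL),             # ... kappa(B) is inconsistent
        "ex4_B_refines_A": refines_contract(B4, A4, INTS),      # True
        "ex4_kA_compatible": compatible(kA4, INTS),             # True
        "ex4_kB_refines_kA": refines_contract(kB4, kA4, INTS),  # True
        "ex4_kB_consistent": consistent(kB4, INTS),             # True
    }


if __name__ == "__main__":
    for name, value in check_examples().items():
        print(f"{name}: {value}")
```

The pair `ex3_B_refines_A` / `ex3_A_refines_B` exercises both directions of Theorem 3.5 on the same interfaces, and the two `kB_refines_kA` entries reproduce the point of Examples 3 and 4: at the contract level the refinement survives feedback, with $\kappa(B)$ inconsistent in Example 3 and consistent in Example 4.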

3.3 Conjunction

Even if $\mathcal{T}$ preserves refinement, it does not preserve conjunction. First, conjunction (shared refinement) is not always defined for relational interfaces. For A/G contracts, conjunction can always be defined as the GLB of the refinement relation, but it can still generate inconsistent contracts, as illustrated by the following example.

Example 5. Consider $I_{00} = (\{x\}, \{y\}, x = 0 \to y = 0)$ and $I_{01} = (\{x\}, \{y\}, x = 0 \to y = 1)$. As discussed in [4], they are not shared refinable, since it is not possible to guarantee $y = 0$ and $y = 1$ at the same time. However, conjunction can still be defined for their associated contracts $\mathcal{T}(I_{00}) = (\{x, y\}, True, \Box(x = 0 \to y = 0))$ and $\mathcal{T}(I_{01}) = (\{x, y\}, True, \Box(x = 0 \to y = 1))$, although it only generates the inconsistent contract $(\{x, y\}, True, False)$.
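The interface-side claims of Examples 3, 4 and 5 can be checked mechanically once the variable domains are finite. The following Python code is an added example, not code from the paper: it computes $in(\phi)$ by existential elimination of the outputs, decides refinement through formulas (11) and (12), builds the feedback composition $\kappa$ of Fig. 2 (b) by turning the fed-back input into an output constrained by $x = y$, implements the shared-refinability condition (every input legal for both interfaces must admit an output satisfying both, which is what Example 5 violates), and builds the shared refinement $I \sqcap I'$ with the $\phi_\sqcap$ formula recalled in the proof of Theorem 3.8. The Boolean domain for Example 3, the domain $\{-1, 0, 1\}$ for Example 4, the domain $\{0, 1\}$ for Example 5 and all class and function names are assumptions of this example.

```python
from itertools import product


class Interface:
    """Relational interface I = (X, Y, phi) over one finite domain shared by all
    variables.  Constructed helper for this example, not code from the paper."""

    def __init__(self, inputs, outputs, phi, domain):
        self.X = tuple(inputs)
        self.Y = tuple(outputs)
        self.phi = phi                  # predicate over a valuation dict {name: value}
        self.domain = tuple(domain)

    def valuations(self, names):
        """Enumerate every valuation of the given variables over the domain."""
        for values in product(self.domain, repeat=len(names)):
            yield dict(zip(names, values))

    def in_phi(self, xv):
        """in(phi) = ∃Y . phi : input valuation xv is legal iff some output completes it."""
        return any(self.phi({**xv, **yv}) for yv in self.valuations(self.Y))


def refines_interface(i1, i2):
    """I1 ⊑ I2 iff in(phi2) -> in(phi1) (11) and in(phi2) ∧ phi1 -> phi2 (12) are valid."""
    assert set(i1.X) == set(i2.X) and set(i1.Y) == set(i2.Y)
    for xv in i2.valuations(i2.X):
        if not i2.in_phi(xv):
            continue                    # (11) and (12) only constrain inputs legal for I2
        if not i1.in_phi(xv):
            return False                # (11) violated: I1 rejects an input I2 accepts
        for yv in i1.valuations(i1.Y):
            v = {**xv, **yv}
            if i1.phi(v) and not i2.phi(v):
                return False            # (12) violated: I1 emits an output I2 forbids
    return True


def feedback_interface(i, x, y):
    """kappa = (x, y): feed output y back into input x.  x becomes an output and
    phi is strengthened with x = y, as in Fig. 2 (b) and Examples 3 and 4."""
    return Interface([v for v in i.X if v != x], list(i.Y) + [x],
                     lambda v: i.phi(v) and v[x] == v[y], i.domain)


def shared_refinable(i, j):
    """Every input legal for both interfaces must admit an output satisfying phi and phi'."""
    for xv in i.valuations(i.X):
        if i.in_phi(xv) and j.in_phi(xv):
            if not any(i.phi({**xv, **yv}) and j.phi({**xv, **yv})
                       for yv in i.valuations(i.Y)):
                return False
    return True


def shared_refinement(i, j):
    """I ⊓ I' with phi_⊓ = (in(phi) ∨ in(phi')) ∧ (in(phi) -> phi) ∧ (in(phi') -> phi')."""
    def phi_meet(v):
        xv = {k: v[k] for k in i.X}
        a, b = i.in_phi(xv), j.in_phi(xv)
        return (a or b) and (not a or i.phi(v)) and (not b or j.phi(v))
    return Interface(i.X, i.Y, phi_meet, i.domain)


# Example 3 over Booleans: I_A = ({x,z},{y},True), I_B = ({x,z},{y},x != y).
BOOL = (False, True)
I_A3 = Interface(["x", "z"], ["y"], lambda v: True, BOOL)
I_B3 = Interface(["x", "z"], ["y"], lambda v: v["x"] != v["y"], BOOL)

# Example 4 over the constructed domain {-1,0,1}: I_A = ({x},{y},(x != 0) ∧ (xy = 1)),
# I_B = ({x},{y},(x != 0) -> (xy = 1)).
INTS = (-1, 0, 1)
I_A4 = Interface(["x"], ["y"], lambda v: v["x"] != 0 and v["x"] * v["y"] == 1, INTS)
I_B4 = Interface(["x"], ["y"], lambda v: v["x"] == 0 or v["x"] * v["y"] == 1, INTS)

# Example 5 over {0,1}: I_00 = ({x},{y},x = 0 -> y = 0), I_01 = ({x},{y},x = 0 -> y = 1).
BITS = (0, 1)
I_00 = Interface(["x"], ["y"], lambda v: v["x"] != 0 or v["y"] == 0, BITS)
I_01 = Interface(["x"], ["y"], lambda v: v["x"] != 0 or v["y"] == 1, BITS)


def check_examples():
    """Interface-level facts claimed in Examples 3, 4 and 5, as a dict of booleans."""
    return {
        "ex3_IB_refines_IA": refines_interface(I_B3, I_A3),            # True
        "ex3_kIB_refines_kIA": refines_interface(                       # False: phi_k(IB) is False
            feedback_interface(I_B3, "x", "y"), feedback_interface(I_A3, "x", "y")),
        "ex4_IB_refines_IA": refines_interface(I_B4, I_A4),            # True
        "ex4_kIB_refines_kIA": refines_interface(                       # False: phi_k(IB) -> phi_k(IA) fails
            feedback_interface(I_B4, "x", "y"), feedback_interface(I_A4, "x", "y")),
        "ex5_shared_refinable": shared_refinable(I_00, I_01),          # False
    }


if __name__ == "__main__":
    for name, value in check_examples().items():
        print(f"{name}: {value}")
```

For a shared-refinable pair, `shared_refinement` returns an interface whose legal inputs are $in(\phi) \vee in(\phi')$ and which refines both operands, matching Lemma 8 of [4] as recalled in the proof of Theorem 3.8.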

When  conjunction  is  well-defined  in  both  frameworks,  the 
contract  associated  with  the  conjunction  of  two  interfaces  is, 
in  general,  a  refinement  of  the  conjunction  of  the  contracts 
associated  with  the  interfaces,  as  stated  by  the  following 
theorem. 

Theorem 3.8. Let $I = (X, Y, \phi)$ and $I' = (X, Y, \phi')$ be two shared-refinable relational interfaces. Then we have

$$\mathcal{T}(I \sqcap I') \preceq \mathcal{T}(I) \wedge \mathcal{T}(I'), \quad (14)$$

with $\mathcal{T}(I \sqcap I') \neq \mathcal{T}(I) \wedge \mathcal{T}(I')$ in general.

Proof. We recall that $I \sqcap I' = (X, Y, \phi_\sqcap)$, where

$$\phi_\sqcap = (in(\phi) \vee in(\phi')) \wedge (in(\phi) \to \phi) \wedge (in(\phi') \to \phi'),$$

and $in(\phi_\sqcap) = in(\phi) \vee in(\phi')$ by Lemma 8 in [4]. Therefore, by transforming $I \sqcap I'$, we obtain $\mathcal{T}(I \sqcap I') = (X \cup Y, A_\sqcap, G_\sqcap)$, where

$$A_\sqcap = \Box(in(\phi) \vee in(\phi'))$$

and

$$G_\sqcap = \Box(in(\phi) \vee in(\phi')) \to (\Box(in(\phi) \to \phi) \wedge \Box(in(\phi') \to \phi')).$$

Moreover, by definition of conjunction, we obtain $\mathcal{T}(I) \wedge \mathcal{T}(I') = (X \cup Y, A_\wedge, G_\wedge)$, where

$$A_\wedge = \Box in(\phi) \vee \Box in(\phi')$$

and

$$G_\wedge = (\Box in(\phi) \to \Box\phi) \wedge (\Box in(\phi') \to \Box\phi').$$

It is straightforward to see that $A_\wedge \to A_\sqcap$. On the other hand, we also notice that $A_\sqcap \not\to A_\wedge$. In fact, any sequence $x_n$ such that $x_1 \models in(\phi)$, $x_1 \not\models in(\phi')$, and $x_n \models in(\phi')$ for all $n > 1$, satisfies $A_\sqcap$ but does not satisfy $A_\wedge$. We also observe that $G_\sqcap \to G_\wedge$. In fact, $G_\wedge$ is trivially True if both $\Box in(\phi)$ and $\Box in(\phi')$ are False. If $\Box in(\phi)$ is instead True, then, because $G_\sqcap$ is True, $\Box(in(\phi) \to \phi)$ is True, which implies that $\Box\phi$ is also True. Similarly, if $\Box in(\phi')$ is True, $\Box\phi'$ will also be True. Therefore, in all cases, both the implications in $G_\wedge$ will be True under the assumption that $G_\sqcap$ is True. On the other hand, we also notice that $G_\wedge \not\to G_\sqcap$. In fact, any sequence $(x_n, y_n)$ such that $x_1 \models in(\phi)$, $x_1 \not\models in(\phi')$, $x_n \models in(\phi')$ for all $n > 1$, and $(x_1, y_1) \not\models \phi$, would certainly satisfy $G_\wedge$ but not $G_\sqcap$. Therefore, the contract associated with the shared refinement of $I$ and $I'$ is indeed a refinement of the conjunction of the contracts associated with $I$ and $I'$, and equality does not generally hold. □

4. CONCLUSIONS AND FUTURE WORK

This paper has established a link between the theory of relational interfaces and the one of A/G contracts, shedding light on some of their key features for system design specification, early detection of incompatibilities, and principled use of abstraction-refinement. Future extensions of this work include studying the properties of the proposed transformation with respect to feedback composition, as well as its generalization to the theory of interface automata. We are also interested in investigating a reverse transformation that maps A/G contracts into relational interfaces, which requires extending the latter with liveness properties. Finally, the implementation of the assumption-projection operator on LTL contracts will also be considered as future work.